Setting up Ubuntu 16.04 as webserver

Foreword

This guide assumes that you are working on a fresh copy of Ubuntu 16.04. This guide will cover the following:

  • SSH port will use Port 9999
  • Root User will use SSH private key and does not need to be prompted for password
  • Setting up a Sudo-er User (a non-root user that can issue root commands by using the sudo utility). In this guide we will set up the user: arvil
  • Setting up the Sudo-er to login with SSH private key and does not need to be prompted for password.
  • All other (non-root, non-sudoer) Users can login by regular username/password SSH authentication.
  • Setting Timezone to use Asia/Manila
  • Setting en_US.UTF-8 as locale
  • Setting up ufw (firewall)

Update packages

  • Create a new screen session
  • Login with the default root user.
  • Issue the following command to retrieve new package information and upgrade outdated packages:
screen -S setup
apt update
apt upgrade -y

# Or as a one-liner
apt update && apt upgrade -y

Also clean up old packages:

apt autoremove -y

Setting up SSH

  • Create the directory and file required
  • Copy the public key you generated to that file
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
vim ~/.ssh/authorized_keys

# or one-liner
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && vim ~/.ssh/authorized_keys

Creating and setting sudo-er User

(A non-root user that can issue elevated commands)

  • Issue the following command to create a new user arvil
  • Add arvil to sudo group
  • Confirm that arvil is in the sudo group
adduser arvil
usermod -aG sudo arvil
grep 'sudo' /etc/group

# or one liner
adduser arvil && usermod -aG sudo arvil && grep 'sudo' /etc/group

#should output:
#sudo:x:<some-number>:arvil

Setting up the new user SSH

  • Login as the new sudoer user
  • Also implement the SSH keys for it
  • Copy public key to its authorized_keys file
su - arvil
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && vim ~/.ssh/authorized_keys

# after copying the key, logout to return to root
logout

Update SSH config file

  • Replace SSH Port. Port 22 => Port 9999 (we would login on Port 9999 instead of Port 22)
  • Disable PasswordAuthentication for root and sudoer group. For other users, allow them to use their password.
  • Test the changes made in the SSH config file. If there is no error, reboot; otherwise fix the file as per the error message
vim /etc/ssh/sshd_config

#Find `Port`
Port 9999

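# At the end of the file, append the following.
# (A Match block applies until the next Match line or the end of the file,
#  so these must come after all global settings.)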
PasswordAuthentication yes
Match User root
    PasswordAuthentication no
Match Group sudo
    PasswordAuthentication no

#Test the changes made
sshd -t

# If no error, reboot so the new SSH config takes effect
reboot
  • Try logging in as root and as arvil on the new Port 9999
  • Both logins should be refused unless the proper private key is supplied
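
Before rebooting, `sshd -T -C` can print the settings sshd will apply to one specific user once the Match blocks have been evaluated, which is a stronger check than `sshd -t` (syntax only). The script below is an added example, not part of the original guide; the function names, the file name audit.sh and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the effective sshd settings for one user.

# Print the value of one keyword from `sshd -T` output read on stdin.
# `sshd -T` prints lower-case "keyword value" lines.
effective_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit_dump PORT PASSWORDAUTH < dump
# Returns 0 if the dump shows the expected port and password setting,
# otherwise prints each mismatch and returns 1.
audit_dump() {
    dump=$(cat)
    rc=0
    got_port=$(printf '%s\n' "$dump" | effective_value port)
    got_pw=$(printf '%s\n' "$dump" | effective_value passwordauthentication)
    [ "$got_port" = "$1" ] || { echo "port: want $1, got ${got_port:-none}"; rc=1; }
    [ "$got_pw" = "$2" ] || { echo "passwordauthentication: want $2, got ${got_pw:-none}"; rc=1; }
    return $rc
}

# Ask the installed sshd what applies to USER (run as root). The host and
# address values are placeholders; older sshd versions require the full -C spec.
live_dump() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1,laddr=127.0.0.1,lport=9999"
}

# Constructed samples of `sshd -T` output, trimmed to the relevant keywords.
SAMPLE_SUDOER='port 9999
pubkeyauthentication yes
passwordauthentication no'
SAMPLE_REGULAR='port 9999
pubkeyauthentication yes
passwordauthentication yes'
SAMPLE_STALE='port 22
pubkeyauthentication yes
passwordauthentication yes'

# Live use:  sh audit.sh arvil no    (root or a sudo group member)
#            sh audit.sh someuser yes (any other account)
if [ "$#" -eq 2 ]; then
    live_dump "$1" | audit_dump 9999 "$2" && echo "$1: OK"
fi
```

A mismatch for root or arvil usually means an earlier `PasswordAuthentication` or `Port` line in the file is taking precedence, or the Match blocks were not placed at the end.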

Update Timezone

As per this guide, we will update timezone to use Asia/Manila

# Confirm that the `date` output is not our desired timezone
date

# Change the timezone. To list all available timezones, run: `timedatectl list-timezones`
sudo timedatectl set-timezone Asia/Manila

# In case that the VPS does not have timedatectl
# bash: timedatectl: command not found
sudo apt install systemd-services

Update locale (support UTF-8 encoding)

For this guide we will use en_US.UTF-8 locale

# Confirm that we are not using `en_US.UTF-8`
locale

# Update
sudo locale-gen en_US.UTF-8
# These exports only affect the current shell session
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
sudo dpkg-reconfigure locales
sudo reboot

# After logging back in, confirm the new locale
sudo locale

# If that did not work:
sudo apt-get purge locales
sudo apt-get install locales
sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
sudo dpkg-reconfigure locales
sudo reboot

Setup UFW Firewall

  • Whitelist OpenSSH
  • Whitelist our custom SSH Port (9999)
  • Enable ufw
  • Check ufw status to confirm it worked
  • Reboot
# Check UFW status
sudo ufw status

# List the application profiles that ufw can allow
sudo ufw app list

# Make sure OpenSSH is allowed by ufw (this profile opens port 22/tcp); if not:
sudo ufw allow OpenSSH

# Whitelist our custom SSH Port
sudo ufw allow 9999

# Enable ufw
sudo ufw enable

# Check status:
sudo ufw status

# Should output:
# arvil@ubuntu-512mb-sgp1-01:~$ sudo ufw status
# Status: active
# 
# To                         Action      From
# --                         ------      ----
# OpenSSH                    ALLOW       Anywhere
# 9999                       ALLOW       Anywhere
# OpenSSH (v6)               ALLOW       Anywhere (v6)
# 9999 (v6)                  ALLOW       Anywhere (v6)

sudo reboot